From 069fb11ecc71b0e3df210b4fe7296f54922b727a Mon Sep 17 00:00:00 2001
From: Viet Nguyen Duc
Date: Thu, 12 Sep 2024 07:32:08 +0000
Subject: [PATCH] build: transparency on package versions and docker scout policy
Signed-off-by: Viet Nguyen Duc
---
 .github/workflows/deploy.yml | 6 +++++-
 .github/workflows/nightly.yml | 3 +++
 Makefile | 7 +++++++
 NodeBase/Dockerfile | 7 +++++++
 generate_sbom.sh | 25 +++++++++++++++++++++++++
 tests/charts/make/chart_setup_env.sh | 4 ++++
 6 files changed, 51 insertions(+), 1 deletion(-)
 create mode 100755 generate_sbom.sh
diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
index d71f20ac69..3bf8147fc7 100644
--- a/.github/workflows/deploy.yml
+++ b/.github/workflows/deploy.yml
@@ -151,6 +151,8 @@ jobs:
 retry_wait_seconds: 300
 continue_on_error: true
 command: VERSION="${GRID_VERSION}" BUILD_DATE=${BUILD_DATE} make release_latest
+ - name: Update package versions
+ run: make generate_latest_sbom
 - name: Tag browser images
 if: github.event.inputs.skip-build-push-image != 'true'
 uses: nick-invision/retry@master
@@ -201,4 +203,6 @@ jobs:
 prerelease: ${{ env.PRERELEASE }}
 draft: false
 append_body: false
- files: ${{ env.PUBLISH_YAML_MANIFESTS }}
+ files: |
+ package_versions.txt
+ ${{ env.PUBLISH_YAML_MANIFESTS }}
diff --git a/.github/workflows/nightly.yml b/.github/workflows/nightly.yml
index 948e62ae0d..6c730b627c 100644
--- a/.github/workflows/nightly.yml
+++ b/.github/workflows/nightly.yml
@@ -113,6 +113,8 @@ jobs:
 max_attempts: 3
 retry_wait_seconds: 120
 command: VERSION="${GRID_VERSION}" BUILD_DATE=${BUILD_DATE} make release_nightly
+ - name: Update package versions
+ run: make generate_nightly_sbom
 - name: Push Helm chart to registry
 uses: nick-invision/retry@master
 with:
@@ -151,6 +153,7 @@ jobs:
 name: "Nightly"
 body_path: "release_notes.md"
 files: |
+ package_versions.txt
 ${{ env.CHART_PACKAGE_PATH }}
 generate_release_notes: true
 draft: false
diff --git a/Makefile b/Makefile
index 8e1077fdc5..9e91fe9b11 100644
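Review bot: The new `run: make generate_latest_sbom` step carries no `if:` guard, whereas the `Tag browser images` step right after it is gated on `github.event.inputs.skip-build-push-image != 'true'`; if the release step it follows is gated the same way (its `if:` is outside the hunk), a skip-build run reaches this step with no local `selenium/*:latest` images, generate_sbom.sh exits 1 and the job fails. The step also assumes the `docker sbom` CLI plugin is present on the runner, which the default GitHub image does not provide; this patch installs it only in tests/charts/make/chart_setup_env.sh, and whether deploy.yml runs that script is not visible here. Add `if: github.event.inputs.skip-build-push-image != 'true'` to the step and an explicit plugin install or `docker sbom --version` check before it. Note too that `release_latest` runs with `continue_on_error: true`, so the package list can be generated and attached to the release even when the push it describes failed.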
--- a/Makefile
+++ b/Makefile
@@ -25,6 +25,7 @@ CURRENT_PLATFORM := $(shell if [ `arch` = "aarch64" ]; then echo "linux/arm64";
 PLATFORMS := $(or $(PLATFORMS),$(shell echo $$PLATFORMS),$(CURRENT_PLATFORM))
 SEL_PASSWD := $(or $(SEL_PASSWD),$(SEL_PASSWD),secret)
 CHROMIUM_VERSION := $(or $(CHROMIUM_VERSION),$(CHROMIUM_VERSION),latest)
+SBOM_OUTPUT := $(or $(SBOM_OUTPUT),$(SBOM_OUTPUT),package_versions.txt)
 
 all: hub \
 distributor \
@@ -341,6 +342,9 @@ release_latest:
 docker push $(NAME)/standalone-docker:latest
 docker push $(NAME)/video:latest
 
+generate_latest_sbom:
+ NAME=$(NAME) FILTER_IMAGE_TAG=latest OUTPUT_FILE=$(SBOM_OUTPUT) ./generate_sbom.sh
+
 tag_nightly:
 docker tag $(NAME)/base:$(TAG_VERSION) $(NAME)/base:nightly
 docker tag $(NAME)/hub:$(TAG_VERSION) $(NAME)/hub:nightly
@@ -383,6 +387,9 @@ release_nightly:
 docker push $(NAME)/standalone-docker:nightly
 docker push $(NAME)/video:nightly
 
+generate_nightly_sbom:
+ NAME=$(NAME) FILTER_IMAGE_TAG=nightly OUTPUT_FILE=$(SBOM_OUTPUT) ./generate_sbom.sh
+
 tag_major_minor:
 docker tag $(NAME)/base:$(TAG_VERSION) $(NAME)/base:$(MAJOR)
 docker tag $(NAME)/hub:$(TAG_VERSION) $(NAME)/hub:$(MAJOR)
diff --git a/NodeBase/Dockerfile b/NodeBase/Dockerfile
index 6ae9fe89fc..ba6f4bdaba 100644
--- a/NodeBase/Dockerfile
+++ b/NodeBase/Dockerfile
@@ -136,6 +136,13 @@ RUN --mount=type=secret,id=SEL_PASSWD \
 && chgrp -R 0 ${HOME} /tmp/.X11-unix \
 && chmod -R g=u ${HOME} /tmp/.X11-unix
 
+# Removing deb packages not compliant with Docker Scount (No AGPL v3 licenses) rule \
+# The image must not contain any software with an AGPL v3 license.
+RUN dpkg -r --force-depends fonts-urw-base35 libgs-common libjbig2dec0 libgs10-common \
+ ghostscript libgs10 jbig2dec poppler-data \
+ && apt-get -qyy autoremove -f \
+ && apt-get -qyy clean
+
 # Copying configuration script generator
 COPY --chown="${SEL_UID}:${SEL_GID}" start-selenium-node.sh \
 start-xvfb.sh \
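Review bot: `generate_latest_sbom` and `generate_nightly_sbom` (the latter in the next hunk) are the same recipe with only the tag changed; a single pattern rule `generate_%_sbom:` with the recipe `NAME=$(NAME) FILTER_IMAGE_TAG=$* OUTPUT_FILE=$(SBOM_OUTPUT) ./generate_sbom.sh` covers both and any future tag without another copy. Like the neighbouring `release_*`/`tag_*` targets these produce no file named after themselves, so they belong in `.PHONY` if the Makefile declares one (not visible in this hunk); otherwise a stray file called `generate_latest_sbom` would silently make the target up to date. The recipe writes `$(SBOM_OUTPUT)` into the current directory rather than as the rule's target, so make cannot track it; that is acceptable for a CI step but deserves a one-line comment on the target such as `## Write the package listing of every $(NAME)/*:latest image to $(SBOM_OUTPUT) (not tracked by make)`.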
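Review bot: `dpkg -r --force-depends` on the new `RUN` line removes ghostscript/libgs10 and friends while leaving whatever installed package depends on them with an unsatisfied dependency, so the dpkg database is left broken: the next `apt-get install` in this image or in any image built FROM it fails until `apt-get -f install` runs, and the `-f` added to the `autoremove` line may resolve that breakage by reinstalling the packages just removed rather than by dropping the dependents, which would silently undo the AGPL removal. Because this is a separate layer from wherever the packages were installed (earlier in the file, outside the hunk), the AGPL files also remain in the lower layer and are still extractable from the image, and `-r` keeps conffiles where `-P` would purge them. A more robust approach is to stop the packages from being installed at all — find the dependency that pulls in ghostscript and install it with `--no-install-recommends`, or purge them in the same `RUN` that installs them — and to let the CI `docker scout` policy check assert their absence rather than relying on the comment. The comment itself misspells Scout (`Scount`) and carries a stray trailing `\`.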
diff --git a/generate_sbom.sh b/generate_sbom.sh
new file mode 100755
index 0000000000..c32cd8f665
--- /dev/null
+++ b/generate_sbom.sh
@@ -0,0 +1,25 @@
+#!/bin/bash
+
+NAMESPACE=${NAME:-selenium}
+FILTER_IMAGE_TAG=${FILTER_IMAGE_TAG:-"*"}
+OUTPUT_FILE=${OUTPUT_FILE:-"package_versions.txt"}
+
+# List all Docker images matching tag
+images=$(docker images --filter=reference=${NAMESPACE}'/*:'${FILTER_IMAGE_TAG} --format "{{.Repository}}:{{.Tag}}")
+
+# Check if there are any images
+if [ -z "$images" ]; then
+ echo "No Docker images found."
+ exit 1
+fi
+
+echo -n "" >${OUTPUT_FILE}
+# Iterate through each image and generate SBOM
+for image in $images; do
+ echo "Generating SBOM for image: $image"
+ echo "==================== $image ====================" >>${OUTPUT_FILE}
+ docker sbom $image >>${OUTPUT_FILE}
+ echo "" >>${OUTPUT_FILE}
+done
+
+echo "SBOM generation completed for all images."
diff --git a/tests/charts/make/chart_setup_env.sh b/tests/charts/make/chart_setup_env.sh
index 25a732893b..4d4aa162e4 100755
--- a/tests/charts/make/chart_setup_env.sh
+++ b/tests/charts/make/chart_setup_env.sh
@@ -57,6 +57,10 @@ chmod +x ./docker-compose
 sudo mv ./docker-compose /usr/libexec/docker/cli-plugins
 docker compose version
 echo "==============================="
+echo "Install Docker SBOMs plugin"
+curl -sSfL https://raw.githubusercontent.com/docker/sbom-cli-plugin/main/install.sh | sh -s --
+docker sbom --version
+echo "==============================="
 if [ "${CLUSTER}" = "kind" ]; then
 echo "Installing kind for AMD64 / ARM64"
 curl -fsSL -o ./kind https://kind.sigs.k8s.io/dl/latest/kind-linux-$(dpkg --print-architecture)
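Review bot: A failing `docker sbom $image >>${OUTPUT_FILE}` goes unnoticed — the script sets no `set -e`, so the loop continues, the last line still prints "SBOM generation completed for all images." and the workflow attaches a partial package_versions.txt to the release as if it were complete. The file also identifies each image only by its mutable `repo:tag`, so a later reader cannot tell which pushed image the listed packages belong to; recording `.RepoDigests` next to the tag fixes that (the field is populated once the image has been pushed or pulled, which holds for the `make release_*` flow but not for an arbitrary local run, where it would be empty). Quoting the expansions additionally stops the `*` default tag from being glob-expanded by the shell and keeps the unquoted `$image` from word-splitting. If other tooling is expected to consume the result, `docker sbom --format spdx-json` would produce a machine-readable SBOM instead of the table.
```shell
#!/bin/bash
# Abort on the first failure: a failed `docker sbom` must not yield a "completed" partial listing.
set -euo pipefail

# … unchanged: NAMESPACE / FILTER_IMAGE_TAG / OUTPUT_FILE defaults …

# Quoting keeps the '*' default tag from being glob-expanded by the shell.
images=$(docker images --filter="reference=${NAMESPACE}/*:${FILTER_IMAGE_TAG}" --format "{{.Repository}}:{{.Tag}}")

# … unchanged: empty-result check …

: >"${OUTPUT_FILE}"
for image in ${images}; do
  echo "Generating SBOM for image: ${image}"
  # RepoDigests holds the immutable digest(s) once the image has been pushed or pulled;
  # recording it next to the mutable tag ties this listing to a specific published image.
  digests=$(docker inspect --format '{{join .RepoDigests ","}}' "${image}")
  echo "==================== ${image} ${digests} ====================" >>"${OUTPUT_FILE}"
  docker sbom "${image}" >>"${OUTPUT_FILE}"
  echo "" >>"${OUTPUT_FILE}"
done

echo "SBOM generation completed for all images."
```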
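Review bot: `curl -sSfL https://raw.githubusercontent.com/docker/sbom-cli-plugin/main/install.sh | sh -s --` executes whatever is at the tip of `main` at run time, unpinned and unverified, so the change meant to add supply-chain transparency itself trusts a mutable remote script and whichever plugin binary that script then fetches. Pin the script to a commit (or release tag) and check its hash before running it, e.g. `curl -sSfL -o /tmp/sbom-install.sh https://raw.githubusercontent.com/docker/sbom-cli-plugin/<commit>/install.sh`, `echo "<sha256>  /tmp/sbom-install.sh" | sha256sum -c -`, `sh /tmp/sbom-install.sh`; if the installer accepts a version argument, pass a fixed release tag as well so the plugin version is pinned too. The `docker sbom --version` line that follows is useful — consider failing the setup explicitly if it does not print the pinned version.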